Selling cloud services to the federal government is a rigorous process. Documentation, not to the mention the word 'No,' play a big part. Here veterans of the FedRAMP cloud certification process share some tips and dispel some myths.

Sorry

WASHINGTON — Of the roughly $80 billion the federal government spends on IT each year, an increasing share is heading to cloud service providers.

Is it any wonder, then, that cloud vendors large and small are queuing up to solicit contracts from the country's single largest IT buyer?

Attitudes about the cloud are changing in the federal government. Advocates of flexible, usage-based technology are even winning converts among the hardline "rack huggers," says Maria Roat, the director of FedRAMP. Short for Federal Risk and Authorization Management Program, FedRAMP is the government's central security certification program that evaluates cloud offerings from the private sector.

"I think the outcome of this is proving that the cloud is secure," she says. "Things are moving and that culture is changing and that perception is changing."

But doing business with the government is not, to borrow an industry phrase, a turnkey exercise. There's also considerable confusion about what's still a relatively new process. A group of experts from industry and government recently gathered in the nation's capital to offer some best practices and bust some myths about the FedRAMP process.

Know What You're Getting Into

Doing business with the government can be a jolt for some conventional business-to-business enterprises. Tech leaders who've gone through the review process stress that newcomers should go into it with appropriate expectations. Some things are non-negotiable, and there are no guarantees — save for the fact that the review process will be costly and time-consuming.

That means that businesses shouldn't take things lightly and must be prepared to commit resources to the effort, says John Keese, president and CEO of Autonomic Resources, a cloud provider that has gone through the FedRAMP process.

"Embrace the process, because you're not going to change the process. This is not a paper process," Keese says. "It's clear that management has to support the endeavors of the FedRAMP accreditation process. It's clear the staff will have to spend an inordinate amount of time."

Keese continues: "This is not a contractual process, so nobody's paying for any of these efforts. The government is not paying for these efforts. Staff has to be assigned with no promise of any revenue until you're accredited. And that's a reality check."

Weigh Centralized vs. Agency-specific Cloud Options

One of the first decisions cloud providers angling for government contracts will have to determine is whether to target their services to a single agency, and navigate an agency-specific approval process, or to make their offerings available across the federal government. If it's the latter, they will have to submit to what is generally a more rigorous review by the Joint Authorization Board, or JAB, which is comprised of tech experts from the General Services Administration (GSA) and the Departments of Defense and Homeland Security.

"The bar for what the JAB will accept or risk is pretty high," says Roat. "When you're looking at the risk posture, [individual] agencies can accept risk more readily."

While the JAB review may be tougher, and drag on for months, the companies that come through it have an instantly recognizable credential that signifies to all agencies that their services have been vetted and proven secure.

"If you can get through that, then it is kind of a single line drawn in the sand that everyone can look at," says Susie Adams, CTO of Microsoft's federal division.

Prepare for Scrutiny

FedRAMP evaluators are professional sticklers. Vendors looking to win certification must be prepared to lay their cards on the table. In all likelihood, this will mean furnishing more documentation for, and allowing the government to peer more deeply into, the technology than they are accustomed to with private-sector clients.

"Be prepared to be transparent, because there will be a lot of eyeballs on your solutions, and transparency is a requirement," Keese says, adding that JAB reviews aren't necessarily a group that's simply "willing to … take your word for it."

Remember, FedRAMP Isn't Just the Feds

By June, all federal agencies are expected to have their cloud service providers meet baseline FedRAMP guidelines. That doesn't mean that every cloud provider will have to have been certified by the JAB, but they must at least meet the standards that agencies have devised on their own, patterned after the FedRAMP template.

It's not just the U.S. government that's paying attention to the FedRAMP standard, though. Companies that can boast that they have received the certification might find it easier to do business with other government entities — at home and abroad — that want to go to the cloud but still worry about cloud security.

"Other countries are looking at this, and they're looking at this in depth," Adams says. "So now we're seeing RFPs come out in other countries and state and local governments that say if you're FedRAMP-certified, we're good."

Nor Are FedRAMP Clouds Limited to Government Applications

The notion that a FedRAMP-approved cloud can only house government data and applications is fiction, according to Adams.

"FedRAMP doesn't say that it has to be a government-community cloud, and there is no law on the books that I know of that says what users can be in a government-community cloud," Adams says. The so-called "industry definition," set by Google years ago to dictate how to create government-community cloud with federal, state, local and tribal authorities, was done largely to align with purchasing off a GSA schedule. (Plus, if you think about it, tribal regions include casinos, she says.)

In the context of cloud, a community is typically defined as tenants with "like interests and like security controls," Adams explains. Within the government, those controls can vary widely from classified military or intelligence information to small civilian agencies that mostly trade in publicly available data.

Adams acknowledges that there are considerable nuances among the agencies but stresses that there's no blanket embargo on cloud deployments that house government and non-government data or applications: "It's not a part of FedRAMP. You don't need to comply with that."